<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Module 3: Secure the application :: English</title>
    <link>http://aws-core-labs.rofriday.com/40_secure_application/index.html</link>
    <description>DevSecOps with Snyk and AWS Code* Services Estimated Completion Time: 30 minutes&#xA;Introduction Besides vulnerabilities in the Container Base Image, Snyk also identifies vulnerabilities introduced by the Open Source components in the application. In this module we will learn about Security issues introduced by Open Source dependencies and how to address them with Snyk.</description>
    <generator>Hugo</generator>
    <language>en-US</language>
    <atom:link href="http://aws-core-labs.rofriday.com/40_secure_application/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Step 6: Monitor your Repo with Snyk</title>
      <link>http://aws-core-labs.rofriday.com/40_secure_application/41_integrate_github/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>http://aws-core-labs.rofriday.com/40_secure_application/41_integrate_github/index.html</guid>
      <description>Integrate Snyk with the Goof GitHub Repo In this example, we will use the Snyk GitHub integration to connect Snyk to the application’s GitHub repository to check for problems in the application’s open source dependencies.&#xA;Set up GitHub integration Log in to Snyk.io. Sign up if you haven’t already. If this is the first time you’ve used your Snyk account on the website, you may see a screen like this. If so, go ahead and click the “Skip for now” link at the top-right corner of the page. Navigate to Integrations -&gt; Source Control -&gt; GitHub Fill in your Account Credentials to Connect your GitHub Account. Import the Goof Repo into Snyk Now that Snyk is connected to your GitHub Account, import the Repo into Snyk as a Project.</description>
    </item>
    <item>
      <title>Step 7: Exploit a Vulnerable Open Source component</title>
      <link>http://aws-core-labs.rofriday.com/40_secure_application/42_opensource_exploit/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>http://aws-core-labs.rofriday.com/40_secure_application/42_opensource_exploit/index.html</guid>
      <description>🚨 CAUTION 🚨 This section demonstrates exploiting an RCE vulnerability in the TodoList application from the Goof repo. Ensure you understand the security implications and use a controlled, isolated environment to avoid any unintended security risks.&#xA;Exploiting an RCE vulnerability in the TodoList application The Goof repo TodoList application contains a variety of exploits designed to demonstrate the risks posed by open source vulnerabilities. We’ll demonstrate the infamous Log4Shell vulnerability as an example of an extremely prolific open source package with a critical CVE that was relatively easy to exploit and gives malicious actors a remote code execution (RCE) vector of attack.</description>
    </item>
    <item>
      <title>Step 8: Fix a vulnerability with a Snyk Pull Request</title>
      <link>http://aws-core-labs.rofriday.com/40_secure_application/43_fix_vulnerabilities/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>http://aws-core-labs.rofriday.com/40_secure_application/43_fix_vulnerabilities/index.html</guid>
      <description>Fix the vulnerability using a Snyk Pull Request Snyk accelerates remediation via Pull Requests to upgrade dependencies to non-vulnerable versions. Back in Snyk, click into the todolist/todolist-web-struts/pom.xml project.&#xA;Now scroll down to see the list of vulnerabilities. For each Vulnerability, Snyk displays:&#xA;The module that introduced it, and, in the case of transitive dependencies, the module that directly depends on it Details on the path and proposed Remediation, as well as the specific vulnerable function. Find the Remote Code Execution (RCE) vulnerability in log4j-core by searching for it in the search bar. Note: It is likely to be at the very top of the list</description>
    </item>
    <item>
      <title>Step 9: Verify the Vulnerability is no longer exploitable.</title>
      <link>http://aws-core-labs.rofriday.com/40_secure_application/44_redeploy_verify_fix/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>http://aws-core-labs.rofriday.com/40_secure_application/44_redeploy_verify_fix/index.html</guid>
      <description>Update your VS Code Server working branch Back in VS Code Server, pull the latest changes, including the Snyk Fix, to the working environment.&#xA;git pull Re-build the Image Now build and push the container to ECR (make sure you are inside the todolist directory).&#xA;docker build -t $REPO/todolist:latest . docker push $REPO/todolist:latest Re-deploy the Application to EKS After pushing the image to ECR, push it to EKS by scaling the goof deployment with kubectl. The deployment’s ImagePullPolicy forces EKS to pull the latest image from ECR.</description>
    </item>
  </channel>
</rss>